Protecting Your Small Business from Hackers

There have been numerous reports of rising threats to small businesses at the hands of cybercriminals. It’s a growing problem as small businesses struggle to protect themselves, mitigate breaches and, in some cases, remain functional.

What the statistics show

A recent survey found that only 9 percent of business owners admit their business was a cyberattack victim, but when given a list, 50 percent say their business has experienced at least one type of harmful cyber activity. Also troubling is that 64 percent do not have a dedicated employee or vendor in charge of detecting and combating cyberattacks. Clearly, this needs to change.

A report by FireEye and Marsh & McLennan Companies found that, on average, businesses take 146 days to detect a cyberattack. Think of the damage that can be done in that time.

Why small businesses are uniquely vulnerable

Small businesses are vulnerable because they simply don’t have the resources that large corporations do. The big companies can afford the best protections and dedicated staff to ensure that systems and data are safe, but this can prove to be much more challenging for a small business — especially one struggling to keep the doors open.

Cybercriminals understand this and target small businesses as a result. It’s often much easier for them to penetrate a small business’s security, or to move on and find the next one with its guard down. As security solutions provider TrendMicro notes, “For many SMBs, watching the budget is necessary to keeping the lights on and ensuring the business lives to operate another day. This leaves very little room for other initiatives or unexpected costs. Unfortunately, this lack of funds shows often in the security solutions that SMBs implement. Some organizations have the basics while others don’t have anything at all, relying on their size to avoid the attention of cybercriminals.”

Scot Ganow, co-chairman of the Privacy and Data Security practice group at Taft Stettinius & Hollister LLP, thinks companies simply don’t understand why cybercriminals target small businesses. “They mistakenly think they do not have the data the bad guys would want, are not big enough, or are not located in a big city where such hacks occur,” he says. “A company’s size and location are often irrelevant to why an attack is launched.”

What cybercriminals target within small businesses

A recent survey found that half (50 percent) say their business has experienced at least one type of harmful cyber activity: computer virus (27 percent); phishing (25 percent); Trojan horse (9 percent); ransomware (7 percent); hacking (6 percent); unauthorized access to customer information (6 percent); unauthorized access to business information (6 percent); issues due to unpatched software (6 percent); and data breach (6 percent).

A CloudNexus report indicates that the data at most risk within small businesses include: authentication data, personal health information, credit card information, proprietary data, social security numbers and financial transactions.

How to protect your small business from hackers

Regardless of how insignificant you think your company is to a criminal’s plans, you never know what kind of data they may be seeking from you or what they plan to do with it. But there are steps you can take to prepare against hackers, including:

  • Educating employees on the proper protocol when opening attachments or sending sensitive information
  • Performing background checks on employees to ensure that they do not have a cybercriminal history
  • Backing up data so that any lost information can be recovered
  • Ensuring your computers, servers, and other electronics are secure with the right firewalls and virus protection programs
  • Protecting your business with security solutions and cyber liability insurance

Toronto Wealth Management

Cybersecurity training best practices for employees

A recent online survey of 1,000 business owners with between 1 and 499 employees found that while as many as 76 percent of business owners believe it’s important to establish security practices and policies to protect sensitive information, just 47 percent have actually established security practices and policies.

Having best practices and policies in place, properly training employees, and holding them accountable can be the difference between running a successful business and courting disaster in the digital age. These ten tips can help keep your business safe.

1. Make following protocol a priority

The number one priority when it comes to employee training should be making sure they understand that they are a part of what keeps business data secure. If they don’t follow protocol and ensure that the devices they use are protected, they could be the weak link in an otherwise secure network, giving viruses or other malicious code a backdoor into the system. Make sure they have the proper security software and tools on their machines and that they understand how it works and any efforts required of them.

Ideally, any software in use will receive automatic updates, but employees should be able to spot if there are any issues and know who to talk to (such as someone in the IT department) in the event that something goes wrong.

2. Have policies in place that keep sensitive data safe

You need to have formal policies written out, and you need to share these documents with all employees. But it’s not enough just to share the documents and expect employees to read them in their entirety and absorb all of their contents. It’s a good idea to have discussions about all aspects during the training process. It may even benefit you to give trainees tests about the content to ensure they really are absorbing it.

3. Teach employees about cyber threats and accountability

Employees must understand the serious nature of cyber threats and proceed accordingly. Make sure they understand how cyberattacks can damage businesses and that they know that if they violate protection policies, they will be held accountable for doing so.

4. Create strong passwords and change them regularly

Everybody knows that strong passwords help to keep accounts safe, but how many people really adhere to this common advice? Go out of your way to ensure trainees know that they must use a strong password and that they must change their password on a regular basis for increased safety. It may even be best to assign them passwords (on a regular basis). Just instruct them to keep the password safe from public accessibility, both online and off.

5. Enforce policies around payment cards

Work with your banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations related to agreements with your bank or processor. Isolate payment systems from other, less secure programs and do not use the same computer to process payments and surf the Internet.

These are good tips to keep in mind, especially when training employees. Once again, be sure they understand that they are accountable if they use company cards and/or devices on which cards are used.

6. Require backup of all important data

Trainees need to understand that the data they create and/or deal with belongs to your company, and that this data needs to be kept safe. That doesn’t only mean that it needs to be protected from attacks, but it needs to be backed up in case of any type of disaster, including something as simple as hardware failure. Make sure they know how to back up data using methods described in your policies.

7. Only allow devices to be used by authorized individuals

Any computers, tablets, mobile phones or other electronic devices should only be used by employees who are authorized to use those specific devices. During the training process, stress the importance of obtaining authorization to use any device. Make sure trainees know that they should not use any device without authorization and that they should not let anyone else use their devices without authorization.

8. Create web content securely

Attackers frequently look for code on websites to exploit, and that means that anyone who may be creating or updating web pages should know how to do so securely and how to avoid allowing any backdoors for cybercriminals to exploit. Of course, only those authorized to do so should be updating any company websites. This is even more important on any pages that connect to sensitive information.

9. Prohibit unauthorized software

It should go without saying that unauthorized software should not be allowed on corporate devices, but you may need to make a point to discuss this during the training process, because even if there is no ill intent, employees may not think twice about adding software to their machine. They must be made aware that this is unacceptable.

10. Train on proper email use

Last, but far from least, you should discuss email use. As you know, email is a common avenue for criminals to take. Educate trainees on spam and phishing, and help them understand how to identify illegitimate emails.

Cyberattacks are on the rise

Protect yourself and your business during the pandemic

These are harrowing times, but keeping informed can be one of the best ways to feel empowered. We want to highlight what to look out for and what we can all do together to help protect you and your business from cyberattacks.

The scams are out there

It’s hard to believe that people will take advantage of our current situation with the outbreak of COVID-19, but it’s part of the narrative. According to the Cybersecurity and Infrastructure Security Agency (CISA), cyber criminals could take advantage of public concern surrounding COVID-19 by launching cyberattacks. Scams began surfacing back in January with coronavirus phishing schemes and are on the rise.

Phishing attacks

CISA notes that phishing attacks, the use of email and bogus websites created to trick victims into revealing sensitive information, will be used by cybercriminals looking to take advantage of COVID-19. 29% of business owners have fallen prey to phishing attacks, according to its 2019 Small Business Owner survey.

Disinformation campaigns

Disinformation campaigns will also be used by cybercriminals, as COVID-19 creates an opportunity to spread fear, manipulate public conversation, influence policy development or disrupt markets. A disinformation campaign is typically used by cybercriminals to spread false information online. For example, a cybercriminal could share content about a fake government relief package for small-business owners. If the content is clicked on or downloaded, malicious software is spread on the user’s device.

Vulnerability of alternate workplaces

As organizations explore alternative workplace options in response to COVID-19, such as working from home, weaknesses in the information technology systems that support remote work may be exploited by criminals. Coronavirus-themed ransomware is being used to encrypt a computer’s hard drive, enabling hackers to demand payment to unlock the information and files it contains.

We did our own research

A Small Business Owner Survey found that remote workers are a leading cyber blind spot for small-business owners. This same study found that only 4% of business owners have implemented all of the cybersecurity best practices and recommendations outlined by the government.

Follow these guidelines

We looked at the best ways for you to protect yourself and your business from cyberattacks and here are 5 things you can do.

Tip 1: Combat phishing attacks.

  • Do not click on links in unsolicited emails, and use caution when opening attachments
  • Never share personal or financial information in email

Tip 2: Guard against disinformation campaigns.

Use trusted resources, such as government websites, for up-to-date information on COVID-19. Here’s a link to Canada.gov.ca COVID-19 topics.

Tip 3: Use secure internet connections.

Make sure you and your employees work only from secure internet connections. When accessing any confidential or sensitive information, avoid using public Wi-Fi networks.

Tip 4: Secure your business’s information technology systems that enable remote access.

  • Ensure your virtual private network (VPN) and other remote access systems are fully patched
  • Enhance system monitoring to receive early detection and alerts on abnormal activity
  • Implement multi-factor authentication

Tip 5: Back up your systems to combat ransomware attacks.

Ransomware attacks are a type of malware threat that locks valuable digital assets and files until a ransom is paid to release them. You should:

  • Make sure you can restore your files should a ransomware attack occur by storing files offline and, if possible, off-site
  • Keep several days’ versions of backups, so you can restore your files using malware-free copies

Keep in mind, while real-time backup is convenient, it won’t be effective if your files are encrypted, because the ransomware will encrypt your files on the real-time backup.
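The point about versioned backups versus a real-time mirror is easier to see with a small simulation. The Python below is an added illustration, not code from the original article: it models a real-time mirror and a dated-snapshot backup with a retention window, simulates a day on which the working files are replaced by ciphertext, and uses a byte-entropy check (an assumption standing in for whatever integrity check a real backup tool applies) to find the newest snapshot that is still clean. The sample files, dates and the retention window are constructed for the example.

```python
import math
import random
from datetime import date, timedelta

KEEP_DAYS = 3  # retention window; the article recommends "several days"


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: plain text sits well below 6, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))


def mirror_backup(history):
    """Real-time sync: one copy that is overwritten with whatever the workstation holds."""
    return dict(history[-1][1])


def snapshot_backup(history, keep_days=KEEP_DAYS):
    """Versioned backup: one dated copy per day, pruning anything older than keep_days."""
    store = {}
    for day, files in history:
        store[day] = dict(files)
        cutoff = day - timedelta(days=keep_days - 1)
        store = {d: f for d, f in store.items() if d >= cutoff}
    return store


def is_clean(files, threshold=6.0):
    """Assumed integrity check: a snapshot is clean if no file looks like ciphertext."""
    return all(entropy(data) < threshold for data in files.values())


def latest_clean_snapshot(store):
    """Walk snapshots newest-first and return the first clean one, or None if none survives."""
    for day in sorted(store, reverse=True):
        if is_clean(store[day]):
            return day, store[day]
    return None


# Constructed sample: two days of normal edits, then a simulated ransomware day on which
# every file is renamed and its contents replaced by random bytes standing in for ciphertext.
D0 = date(2020, 4, 1)
CLEAN = {"ledger.csv": b"date,amount\n2020-04-01,120.00\n", "notes.txt": b"call bank re: invoice\n"}
_rng = random.Random(1)
ENCRYPTED = {name + ".locked": bytes(_rng.getrandbits(8) for _ in range(1024)) for name in CLEAN}
HISTORY = [
    (D0, CLEAN),
    (D0 + timedelta(days=1), {**CLEAN, "notes.txt": b"call bank re: invoice (done)\n"}),
    (D0 + timedelta(days=2), ENCRYPTED),
]
```

With the constructed history, the mirror holds only the encrypted copies, while the three-day snapshot store still yields the clean copy from the day before the attack; shrinking the window to one day loses it too.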